Safe, Dead or Lucky? (Knowing Good From Bad)

It’s a pleasantly singsongy warning about the similarity between King snakes and Coral snakes: Both can live in the same general area, but while one is harmless (the King snake on the right), the other possesses the most potent venom of any New World snake and will kill you (the Coral snake on the left).

Let’s leave that for a second and look at some data points for “IT configurations.” We can loosely describe these configurations as the “port, function, service, memory, and operating settings that determine How, When and With Whom our IT systems operate.” Take a gander:

Basic Windows operating systems, for either desktops or servers, have more than 65,500 different ports and “listening points”

Device configurations (firewalls, routers, storage systems) have an average of 2000 lines of code for each device, much of it representing configuration states

Each device configuration can contain hundreds of parameters for about 20 different IP protocols and technologies that need to work together

A large global enterprise can easily have over 50 million lines of configuration code in its network

Gartner Group has estimated that 65% of recorded cyber-attacks exploit systems whose vulnerabilities were introduced by configuration errors

Beneath all these interesting data points we find the fundamental contradiction of modern IT security:

Maximized and competitive productivity requires a highly porous, flexible and highly interconnected world… but Information Security requires strict control to mitigate and address the risks from limitless productivity. (See this well-stated blog post from HP’s Rafal Los on this contradiction.)

IT security configuration management is an awful lot like managing Coral snakes and King snakes. A casual glance does no good in determining which is deadly and which is actually pretty nice to have around. (Non-venomous King snakes eat other snakes and are often immune to venom from regional competitors like rattlesnakes.) If you have any doubt about which of these is lying in your path you’ll probably go around it – which kills your productivity – or spend unnecessary energy whacking it with a giant stick (which brings greater risk).

IT security practitioners need concise, rapid, and easily understandable assessments of their IT security configurations, and they need access to them at all times. Did a staff member deploying a new application enable a Telnet session and leave it open? Does an un-patched Windows 2008 R2 system have an unsecured Port 445 that’s quietly accessible to an attacker? (Can you say “Conficker”?)

How about this test? Is this “configuration failure” good or bad?

The answer is of course “It depends.” Configuration details look painfully, numbingly similar. But when we capture them continuously, and use prepackaged intelligence to understand that a failure of the “Always Exit” rule leaves a system uniquely vulnerable to unauthorized access, we gain a much better understanding of whether the state of this particular configuration item is “Good or Bad”.

When we add to this assessment a deep understanding of the levels of risk and priority associated with the asset in question, we gain a whole new level of awareness. If the example above is on a file system that’s not well protected (because many users interact with it) but also has privileged information on it, our assessment changes. With this information married to the “configuration state” information we can not only tell good from bad, but we can also tell how bad is bad.
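The two ideas in this section, prepackaged rules that decide whether a configuration item is good or bad, and an asset risk rating that decides how bad is bad, fit together in a few dozen lines. The example below is added here and is not code from the original post or from any product; the rule names (including a hypothetical “Always Exit” session rule), the 1-to-5 exposure and sensitivity scales, and the two sample hosts and their configuration snapshots are all constructed for illustration. The same rule failure (TCP/445 open on an unpatched host) scores very differently on a widely used file server holding privileged data than on an isolated lab VM, which is exactly the point the post makes; a small baseline diff is included for the change-monitoring side.

```python
"""Risk-weighted security configuration assessment.

Added example, not the post's or any vendor's code. Rule set, asset
scales and sample snapshots are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    exposure: int     # assumed scale: 1 (isolated) .. 5 (many users / internet-facing)
    sensitivity: int  # assumed scale: 1 (public data) .. 5 (privileged data)


@dataclass
class Finding:
    asset: str
    rule: str
    severity: int
    score: int
    detail: str


# Each rule inspects one configuration snapshot (a dict) and returns a
# failure description, or None when the item is in a good state.
def rule_telnet_disabled(cfg):
    if cfg.get("telnet_enabled"):
        return "Telnet service enabled"
    return None


def rule_smb445_not_exposed_unpatched(cfg):
    # The post's example: port 445 reachable on an un-patched Windows host.
    if 445 in cfg.get("open_ports", []) and not cfg.get("patched", True):
        return "TCP/445 open on an unpatched host"
    return None


def rule_always_exit(cfg):
    # Hypothetical "Always Exit" rule: sessions must terminate on timeout/logout.
    if not cfg.get("session_always_exit", False):
        return "'Always Exit' session rule not enforced"
    return None


# (rule name, base severity 1..5, check function)
RULES = [
    ("telnet_disabled", 3, rule_telnet_disabled),
    ("smb445_unpatched", 5, rule_smb445_not_exposed_unpatched),
    ("always_exit", 4, rule_always_exit),
]


def assess(asset, cfg, rules=RULES):
    """Good-or-bad per rule, then how-bad via the asset's risk attributes."""
    findings = []
    for name, severity, check in rules:
        detail = check(cfg)
        if detail:
            score = severity * asset.exposure * asset.sensitivity
            findings.append(Finding(asset.name, name, severity, score, detail))
    return findings


def rank(assets_and_cfgs):
    """Assess every asset and order findings so the worst lands on top."""
    findings = []
    for asset, cfg in assets_and_cfgs:
        findings.extend(assess(asset, cfg))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def changed_keys(baseline, current):
    """Change-monitoring piece: which settings drifted from the known-good baseline."""
    keys = set(baseline) | set(current)
    return sorted(k for k in keys if baseline.get(k) != current.get(k))


# Constructed sample data: a sensitive, heavily used file server and an isolated lab VM.
FILE_SERVER = Asset("fileserver01", exposure=5, sensitivity=5)
LAB_BOX = Asset("labvm07", exposure=1, sensitivity=1)

FILE_SERVER_CFG = {"telnet_enabled": False, "open_ports": [445, 3389],
                   "patched": False, "session_always_exit": False}
LAB_BOX_CFG = {"telnet_enabled": True, "open_ports": [23, 445],
               "patched": False, "session_always_exit": True}

if __name__ == "__main__":
    for f in rank([(FILE_SERVER, FILE_SERVER_CFG), (LAB_BOX, LAB_BOX_CFG)]):
        print(f"{f.score:4d}  {f.asset:13s} {f.rule:18s} {f.detail}")
    print("drift:", changed_keys({"patched": True, "open_ports": [3389]}, FILE_SERVER_CFG))
```

Running it lists the file server's port-445 finding first (score 125) and the lab VM's identical finding near the bottom (score 5); the severity of the rule never changed, only the asset it sits on. In practice the exposure and sensitivity values would come from an asset inventory rather than being typed in, and `changed_keys` would be fed by the change-monitoring agent each time a snapshot arrives.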

When security configuration management is done right, and integrated with real-time change monitoring, we can immediately tell whether the recently modified CI curled up in our code is an unexpected but helpful King snake…